(54) Method and apparatus for data verification



(57) A token 12 creates utilization history information and sends the information to an information processing unit 11 and simultaneously creates a verification value and stores the value in a utilization-value holding unit 21. The information processing unit 11 records the utilization history information in a history holding unit 16. On receiving a verification-value output request from the information processing unit 11, the token 12 provides the verification value with a signature and outputs the combination of the verification value and the signature. The information processing unit sends to a recovery unit 13 the verification value with the signature as well as the utilization history information. The recovery unit 13 verifies the signature and further verifies the utilization history on the basis of the verification value.
Description

BACKGROUND OF THE INVENTION 
1. Field of the Invention

The present invention relates to the technology of verifying data and more particularly to data-verifying technology fit for use in general information processing units designed to transmit or hold a large continuous number of data groups, for example, a utilization history in security.

2. Description of the Related Art 

With the recent progress of digital information processing technology, an idea of information highway and so forth, the time has come at last in that every sort of information is digitized, and the digital information is distributed and circulated through networks. The distribution and circulation of various kinds of information in the form of images, animations, voice, programs and the like, to say nothing of character information, have already been started via Internet, telecommunications-personal computer or in the form of CD-ROMs.

However, the digital information in the form of characters, images, animations, voice, programs and the like is of no value unless such information is utilized because it is different from physical matter and unsubstantial and easy to copy at low cost. Despite the features mentioned above, however, restrictions have been imposed on the copying of what is owned by someone once because one is to pay therefor at present. In other words, there is suspicion that easiness of copying and that easiness of copying at low cost that feature the digital information to the fullest extent are confined by arbitrary rules.

In order to solve the foregoing problems, there has recently appeared a system of making digital information utilizable by decrypting the information. More specifically, the digital information as represented by programs is encrypted so as to render the information freely distributable and when the information is utilized, each user receives a decrypting key after paying a price therefor. In view of the fact that information is of no value unless it is utilized, moreover, there has also been proposed a system of charging a payment for the utilization of information such as a software service system as disclosed in Japanese Patent Publication No. 95302/1994 and an apparatus for measuring the quantity of utilized information as disclosed in Japanese Patent Laid-Open No. 21276/1995.

With the aforementioned technologies, users are not asked to buy software when the software as represented by programs is utilized over personal computers and workstations; instead, while they are able to acquire the software free of charge or at a moderate price, they are charged a payment in proportion to the quantity utilized, for example, each time the software is utilized.

In order to charge a payment for the utilization of information, the charge has to be paid by each of the individual users, depending on the frequency of use. In a certain case, the charges collected in a lump have to be distributed to information providers in proportion to the frequency of use. Consequently, the utilization history in the user environment has to be recorded securely and also recovered safely.

Nevertheless, though a utilization meter functioning as what records a utilization history has been mentioned in Japanese Patent Laid-Open No. 21276/1995, no reference has been made of how to recover the quantity of utilization actually recorded therein.

There has been proposed a method for the aforementioned purpose which is not to use a recording device under the control of an information processing device, for example, a hard disk with which the user utilizes the utilization history but to use an independent safety device. According to Japanese Patent Publication No. 95302/1994, for example, a utilization history is to be written to an IC card.

In a chargeable information transmitting system according to Japanese Patent Laid-Open No. 25605/1991 and a chargeable information collecting system according to Japanese Patent Laid-Open No. 180762/1994, chargeable information is recovered through networks.

When a history written to a safety device such as an IC card is recovered, there has been proposed a method of using a network or allowing a collector having a proper right to collect the history directly from such a device.

Under the method of collecting the history through the network, however, no consideration has been given to safety; the safety of chargeable information, that is, the possibility of falsification of chargeable information on the way, or otherwise the possibility of transmission of dishonest chargeable information from any one of the users. Therefore, the problem is that the aforementioned method remains inapplicable, in view of safety, to the Internet open to the general public, though it is applicable to in-house networks that can be relied upon to a certain degree.

In order to safely recover the history in the form of an IC card in the apparatus, it has been the only way that a collector having a proper right collects the history directly therefrom.

With the recent development of encrypting technology, however, the use of digital signature technology in particular makes it possible to solve the aforementioned problem. More specifically, a private key peculiar to the safety device is enclosed therein and when a user wants to retrieve data from the safety device, the user is always called on to provide a signature, whereby whether or not the data is right can be confirmed later by verifying the digital signature accompanying the data.

A technique of using the RSA (Rivest-Shamir-Adleman) cryptosystem for digital signatures is widely known. However, signatures by means of RSA or any other digital signatures generally need a large quantity of calculations and so normally take a great deal of time per process. Therefore, a serious problem is posed when a signature has to be provided for continuous data in great quantities or when a computer with low calculating capability is used for processing signatures.

When the IC card is used as a safety device for recording the utilization history, the calculating capability of a CPU mountable in such an IC card is often rather low in general and the problem is that a great deal of time is required when the CPU is used to carry out a large quantity of calculations. If, however, an attempt is made to increase the calculating capability in order to raise the calculating speed, this arrangement will become extremely costly.

There also exists a problem arising from a recording capacity when total data concerning the utilization history is recorded in a small device like the IC card because the data regarding the utilization history is usually of great length.

The security of modern encryption technology including RSA is originally based on the quantity of calculations, and the length of the key used for a signature and cryptosystems is arranged so that it is increased as the capabilities of the computer increase. Consequently, this problem is not made solvable by only increasing the capabilities of a computer in future but still remains essentially to await a solution since use can be made of equipment (e.g., a personal token) only capable of employing a computer whose processing performance is far lower in comparison with the highest performance that can be offered by the newest model of computer of the day.

SUMMARY OF THE INVENTION 

An object of the present invention made in such circumstances as described above is to provide a method of making possible the creation of data verifiable at high speed even by an apparatus having low calculating capability.

More specifically, the total utilization history is not held in an IC card but only verification values obtainable from the utilization history are held in the IC card, and the utilization history proper is held on the part of an information processing unit (e.g., a personal computer or the like) to be controlled by a user.

Referring to the prior art in view of the verification values, there is technology employed for data communication, called DES-MAC. MAC is an abbreviation of Message Authentication Cryptosystem having a predetermined length showing that a message is complete (i.e., any message that has not been altered dishonestly). The cryptosystem is used after being attached to an original message. Since the occurrence of an error during the data communication is fatal, an arrangement is made so that a change in data during the data communication can be detected.

Further, DES is an abbreviation of Data Encryption Standard, which is a block encryption algorithm (Applied Cryptography pp 265) with 64 bits used for one block. A CBC (Cypher Block Chain) mode (Applied Cryptography pp 193, JIS-X5051) is one kind of way of using block cryptosystems as represented by DES, that is, a system of not encrypting an individual block independently but of exclusively ORing a block encrypted immediately before and a block to be encrypted next so as to make the value obtained a DES input. Even when blocks having the same contents under this system are encrypted and when the block that has been encrypted until then is different, the encrypted result will also become different.

The DES-MAC (Refer to Applied Cryptography pp 455 for CBC-MAC) is an application of the CBC mode in the DES, according to which the block obtained last is used for the verification value of the total data stream.

Fig. 21 shows an arrangement of DES-MAC. A stream of data to be transmitted is shown in the upper portion of Fig. 21 and the data stream is divided into blocks each having 64 bits. IV is an abbreviation of Initial Vector representing an initial value formed of random numbers. The blocks resulting from the division are passed in a chain through DES encryptors as in the DES-CBC mode by adding IV to the head of the data stream and the block obtained last to the last position thereof as the verification value of the data stream for transmission. On the reception side, a verification value is obtained by performing the process in reverse order and compared with the value received for verification.

The processing method like this is basically intended for data transmission by means of communication. Since a sender sets it forth as a premise to hold complete data in a short time with certainty, there will develop a problem if the premise is applied to the recovery of a complete history. This is because history data are accumulated over a long period of time, during which the data may arbitrarily be controlled by users or the system may have accidents and thus be exposed to danger.

To begin with, the aforementioned system (DES-MAC) is based on the assumption that the data blocks are continuously transmitted. In other words, for the transmission of ordinary data, there exists a lower layer (equivalent to a TCP layer in TCP/IP: transmission control protocol/Internet protocol) and the order of data blocks is assured by that layer.

If, however, the utilization history is put under the control of the user, the order of histories becomes unassured at that point of time; that is, the user is allowed to use the IC card by connecting it to a plurality of computers (e.g., a desk top PC, a lap top PC, etc.) that the user can use. When it is taken into consideration that the utilization history is recorded on the computer side, the utilization history is scattered in the plurality of computers. Consequently, the history thus scattered in the plurality of computers is deprived of the order in terms of time.

In the case of a utilization history, the time order is an extremely important factor. In other words, the usage may be calculated later from the plurality of continuous histories. For example, there are cases: namely, a simple case where utilization time is calculated from the difference between utilization start time and utilization end time; another case where the usage is determined by calculating a difference in data length from data length as an object of operation at the utilization start time and from data length as an object of operation at the utilization end time; and so forth.

The DES-MAC has furnished no substantial solutions to the foregoing problems.

A further problem arising when the utilization history is put under the control of the user is that part of the utilization history may be lost intentionally or by accident. In the case of DES-MAC, verification will become impossible if part of the utilization history is lost. Since the DES-MAC is based on the assumption that the sender holds complete data only during the communication, carrying out retransmission will settle the case. However, the loss of the utilization history means the substantial loss of data and therefore the restoration of the history becomes impossible. The still continuous use of the DES-MAC system makes infeasible even the verification of the remaining data.

In a system of charging a payment for the usage, further, it is prerequisite for the user to recover the history left on hand. Unless the history is recovered, there will develop a problem of rendering uncalculable the utilization fee charged against the user or otherwise rendering the collected utilization fee undistributable to information providers.

Thus, the utilization history left with the user has to be recovered safely and to this end, recovery of the utilization history under false recovery instructions is to be avoided.

An object of the present invention is therefore to provide an apparatus capable of verifying lengthy data quickly even with its low calculating capability and small storage capacity.

Further, a second object of the present invention is to provide a method of making data order restorable even in such an environment that the order is not preserved.

Further, a third object of the present invention is to provide a method of making the remaining data verifiable even when part of the data is lost.

Further, a fourth object of the present invention is to provide a method of controlling a data-holding apparatus safely from the outside.

In order to solve the foregoing problems according to the present invention, basically data is not recorded in a protective apparatus, so as to reduce the quantity of data to be held, but is output from the protective apparatus to the outside, and verification values small in data quantity are held in the protective apparatus instead. More specifically, unidirectional functions in place of digital signatures are used for verification so that data may be verified quickly. When hash functions as represented by MD5 are realized in software, they are said to be higher in speed by three digits than the encrypting process of RSA. In order to make the order of history data restorable, further, information from which the order can be restored is added to the history data. More specifically, it has been arranged that the value provided with a signature of a right person is necessitated with respect to the verification value held by the protective apparatus, whereby the verification value in the protective apparatus is forcibly sent to the right person to ensure that the verification is effected.

A description will subsequently be given of the constitution of the present invention. In order to accomplish the objects above according to the present invention, a data verifying method comprises the steps of: creating a verification value of a data body inside a protective apparatus from a verification value of the relevant data body out of a plurality of data bodies generated in sequence and a verification value of a data body preceding the relevant data body, creating a verification value with a signature by adding a digital signature inside the protective apparatus to the verification value created for the last data body out of the plurality of data bodies to be verified at a time, sending the verification value with the signature outside from the protective apparatus, and verifying the plurality of data bodies based on the plurality of data bodies and the verification value with the signature.

With this arrangement, it is only needed to provide the verification value with the digital signature even though the calculating capability is low. Since the verification value can be calculated from the verification value with respect to the preceding data body and the data body this time, the processing is performable as long as one data body and one verification value are holdable, which means the storage capacity may be small.

In order to accomplish the objects above according to the present invention, further, an apparatus for creating data to be verified is provided with: means for generating data bodies in sequence, verification value holding means for holding verification values, verification value creation means for creating a new verification value from the verification value held in the verification value holding means and a newly generated data body and updating the verification value held in the verification value holding means to the new verification value, and signature means for attaching a signature to the verification value held in the verification value holding means at predetermined timing, wherein the verification value creation means, the verification value holding means and the signature means are installed in a protective apparatus.

Even with this arrangement, it is only needed to provide the verification value with the digital signature even though the calculating capability is low. Since the verification value can be calculated from the verification value with respect to the preceding data body and the data body this time, the processing is performable as long as one data body and one verification value are holdable, which means the storage capacity may be small.

In order to accomplish the objects above according to the present invention, further, there are provided a plurality of data bodies generated in sequence, means for receiving a verification value with a signature resulting from providing a signature for the verification value calculated from the plurality of data bodies, signature verifying means for verifying the signature on the verification value received, and verifying means for verifying the correctness of the plurality of data bodies received from the verification value with the signature verified by the signature verifying means.

With this arrangement, the quantity of calculations is reducible since the verification of the signature is effected for only the verification value with the signature.

In order to accomplish the objects above according to the present invention, further, a history holding method is used for holding in a protective apparatus only a verification value resulting from sequential calculations with respect to a group of history data comprising a plurality of continuous history data, and providing a signature for only the verification value when the verification value is output from the protective apparatus outside.

With this arrangement, not only the quantity of calculations but also the storage capacity can be suppressed.

In order to accomplish the objects above according to the present invention, further, a history holding apparatus is provided with: data input means for inputting a plurality of continuous data, data processing means for processing the data, verification value creation means for creating a verification value with history data relevant to the data processing and the verification value held at this point of time as inputs, verification value holding means for holding the verification value thus created, and signature means for providing a signature for the verification value, wherein the verification value creation means, the verification value holding means and the signature means are at least installed in a protective apparatus.

With this arrangement, not only the quantity of calculations but also the storage capacity can be suppressed.

With this arrangement likewise, unidirectional functions may be used for calculations applicable to the verification value creation means. The history data may be in the form of a combination of the history data body and the verification value at the time the history data is processed. Further, counter means for doing counting each time data is processed may be provided and the history data in the history data group may be in the form of a combination of the value of the counter when the data is processed and a history body. The verification value with the signature may be output in compliance with a user's request. The history holding means may comprise a single CPU with software and when the load of the CPU applied by the data processing means is low, the signature means may create and output the verification value with the proper signature.

With this arrangement, further, function stopping means may be provided and used for stopping the function of the data processing means at a point of time the verification value is output until a proper instruction is given from the outside. Halt condition holding means may be provided and used for stopping the function, and when the conditions described in the halt condition holding means are met, the function halt means may output the verification value with the signature written thereto and stop its function. Further, proper public-key holding means may be used for holding a public key of an external right person, and the function halt means may verify that an accepting instruction is intended to restore the function corresponding to the lastly-output verification value provided with a digital signature made by the external right person and that by verifying the signature with the public key held by the proper public-key holding means at the time of receiving the instruction, whether or not the verification value with the signature is equal to the verification value held by the verification value holding means.

In order to accomplish the objects above according to the present invention, further, a history verifying apparatus may be provided with: data input means for inputting a verification value with a signature, the signature being provided for the verification value calculated from a plurality of continuous history data in group and from the data groups, signature verifying means for verifying the signature of the verification value thus received with the signature, and verifying means for verifying the correctness of the data group received from the data group received and the verification value whose signature has been verified.

With this arrangement, the quantity of calculations is reducible since the verification of the signature is effected for only the verification value with the signature.

With this arrangement, further, previous verification value storage means may be provided and used for storing the verification value received the last time, and the verifying means may employ the previous verification value when making verification. The calculations for use in the verifying means may be based on unidirectional functions. The history data may be in the form of a combination of the history data body and the verification value at the time the history data is processed. The history data in the history data group may be in the form of a combination of the value of the counter when the data is processed and a history body.

In order to accomplish the objects above according to the present invention, further, a history holding apparatus may be provided with: data storage means for holding data, halt condition holding means for holding predetermined conditions at the time the function is stopped, function halt means for stopping the function when the conditions held in the halt condition holding means are met and keeping the function stopped until a proper instruction is received from the outside, private-key holding means for holding a private key, digital signature means for providing a digital signature using the private key held in the private-key holding means for the data group held in data holding means, digital signature holding means for holding the digital signature affixed, and proper public-key holding means for holding the public key of an external right person, wherein the function halt means may verify that an accepting instruction is intended to restore the function corresponding to the digital signature provided by the external right person for the digital signature held in the digital signature holding means and that by verifying the signature with the public key held by the proper public-key holding means at the time of receiving the instruction, whether or not the value with the signature is equal to the value held by the digital signature holding means.

With this arrangement, the instruction with the signature of the proper person is not sent until the correctness of the history is verified, and the halt state of the apparatus is not released until the correctness of the instruction is verified. Therefore, no inconvenience arises from the provision of service while the correct history remains unrecovered. In other words, it is ensured that the correct history is recovered.

According to the present invention, electronic equipment is provided with: function halt means for stopping at least part of the function of an electronic equipment body when predetermined conditions are met, means for outputting predetermined data outside, means for receiving data with a signature, the data being created by providing the signature for the predetermined data, signature verifying means for verifying the signature with respect to the data with the signature, and means for releasing the halt state of that part of the function when the correctness of the signature of the data with the signature is verified by the signature verifying means.

With this arrangement, the use of the electronic equipment is not made to continue until the correctness of the data is verified, so that correct data is secured.
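The following Python sketch is an added illustration, not part of the patent text: it models the token, the user's information processing unit and the recovery unit, covering both the chained verification value that is signed only once and the halt-and-release arrangement described above. SHA-256 stands in for the unidirectional function, the signature is textbook RSA with a toy key, and the record layout (counter plus body) and all class and function names are assumptions made for the example.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA from two known primes: a toy key, for illustration only."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)

def chain(prev, counter, body):
    """New verification value = H(previous value || counter || history body)."""
    return hashlib.sha256(prev + counter.to_bytes(8, "big") + body).digest()

class Token:
    """Protective apparatus: holds one verification value, never the history."""
    def __init__(self, priv, center_pub, seed):
        self.priv, self.center_pub = priv, center_pub
        self.value, self.counter, self.halted = seed, 0, False

    def use(self, body):
        """Cheap hash per event; the record itself is handed to the host."""
        if self.halted:
            raise RuntimeError("token halted until the center releases it")
        self.counter += 1
        self.value = chain(self.value, self.counter, body)
        return (self.counter, body)

    def output_value(self):
        """The only signature operation: sign the held value, then halt."""
        self.halted = True
        return self.value, sign(self.priv, self.value)

    def release(self, value, center_sig):
        """Resume only on the center's signature over the value last output."""
        if value == self.value and verify(self.center_pub, value, center_sig):
            self.halted = False
        return not self.halted

class RecoveryUnit:
    def __init__(self, priv, token_pub, seed):
        self.priv, self.token_pub = priv, token_pub
        self.prev = seed  # verification value accepted at the previous recovery

    def recover(self, records, value, token_sig):
        """Return a release signature if the history checks out, else None."""
        if not verify(self.token_pub, value, token_sig):
            return None
        v = self.prev
        for counter, body in sorted(records):  # counters restore the order
            v = chain(v, counter, body)
        if v != value:
            return None  # a record was altered, dropped or invented
        self.prev = value
        return sign(self.priv, value)

def demo():
    """Constructed run: history scattered over two hosts, then recovered."""
    tok_pub, tok_priv = make_keypair(2**521 - 1, 2**607 - 1)
    ctr_pub, ctr_priv = make_keypair(2**127 - 1, 2**607 - 1)
    seed = b"\x00" * 32
    token = Token(tok_priv, ctr_pub, seed)
    center = RecoveryUnit(ctr_priv, tok_pub, seed)
    desktop = [token.use(b"app-A start"), token.use(b"app-A end")]
    laptop = [token.use(b"app-B start")]
    value, sig = token.output_value()
    result = {}
    try:
        token.use(b"app-C start")
        result["halted"] = False
    except RuntimeError:
        result["halted"] = True
    dropped = [desktop[0]] + laptop  # record 2 withheld by the user
    result["tampered_accepted"] = center.recover(dropped, value, sig) is not None
    release_sig = center.recover(laptop + desktop, value, sig)  # out of order
    result["honest_accepted"] = release_sig is not None
    result["forged_release"] = token.release(value, sig)  # not the center's key
    result["released"] = token.release(value, release_sig)
    return result

if __name__ == "__main__":
    print(demo())
```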

Further, the present invention can be implemented by appropriating part thereof to a computer program product.

The above and other objects and features of the present invention will be more apparent from the following description taken in conjunction with the accompanying drawing.

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is an overall block diagram of Embodiment 1 of the present invention;

Figure 2 is a block diagram showing the construction of an information processing unit 11 of Fig. 1;

Figure 3 is a block diagram showing the construction of a token 12 of Fig. 1;

Figure 4 is a diagram explanatory of a utilization-value holding unit 21 of Fig. 3;

Figure 5 is a block diagram showing the construction of a recovery unit 13 of Fig. 1;

Figure 6 is a diagram explanatory of information to be decrypted in the token 12;

Figures 7A and 7B are diagrams explanatory of the construction of a utilization history;

Figure 8 is a flowchart explanatory of processing to be performed in the control unit 14 of the information processing unit 11 when a request for the utilization of information is received from a user;

Figure 9 is a flowchart explanatory of processing to be performed in the control unit 14 of the information processing unit 11 when an instruction for the recovery of the utilization history is received from a user;

Figure 10 is a flowchart explanatory of processing when the decryptor unit 19 of the token 12 receives a request for decrypting encrypted information from the information processing unit 11;

Figure 11 is a flowchart explanatory of processing to be performed in the utilization-value creating unit 20 of the token 12 which is called from the decryptor unit 19 of the token 12;

Figure 12 is a flowchart explanatory of processing when the utilization-value output unit 22 of the token 12 receives a verification-value output request from the information processing unit 11;

Figure 13 is a block diagram showing the construction of the token 12 in Embodiment 2;

Figure 14 is a flowchart explanatory of processing to be performed in the token 12 of Fig. 13;

Figure 15 is a flowchart explanatory of processing to be performed in the token 12 of Fig. 13;

Figure 16 is a flowchart explanatory of processing to be performed in the token 12 of Fig. 13;

Figure 17 is a block diagram showing the function block materialized in the information processing unit 11 in Embodiment 2;

Figure 18 is a block diagram showing the construction of the recovery unit 13 in Embodiment 2;

Figures 19A to 19E are diagrams showing the construction of the utilization history in Embodiment 2;

Figure 20 is a diagram explanatory of another construction of the utilization history in Embodiment 2; and

Figure 21 is a diagram explanatory of relevant technology.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Now, a description will be given in more detail of preferred embodiments of the invention with reference to the accompanying drawings.

(Embodiment 1)

Embodiments of the present invention will subsequently be described. First, Embodiment 1 of the present invention will be described. In a system to be described in Embodiment 1 of the present invention like any other systems according to the present invention as those which will be described later, general digital information such as programs and image information that are encrypted and distributed is utilized in an information processing unit like a personal computer or a workstation by means of an IC card (hereinafter called the "token") connected to the information processing unit in order to record the utilization history then by seizing timing at which the information is decrypted, whereby to make the center recover the utilization history. Needless to say, the present invention is applicable to any task other than securing history data.

Fig. 1 shows an overall system configuration according to this embodiment of the invention. In Fig. 1, there is shown an information processing unit 11 like a personal computer or a workstation for use in utilizing digital information in the user environment and in order to decrypt encrypted information (or to decrypt a key for decrypting), a token 12 for recording the utilization history by seizing the timing is connected to the information processing unit. The token 12 and the information processing unit 11 may be connected via any means capable of transmitting information such as a PC card (PCMCIA: Personal Computer Memory Card Interface Association) interface, serial/parallel, an infrared ray and the like. The token 12 may be packaged in the information processing unit 11.

20 The user's information processing unit 1 1 is connected to a recovery unit 13 constituted of an information process- 
ing unit such as a workstation or a large computer on the center side. Ttie connection may be in tfie form of a modem- 
to-tel e^^one line or a network interlace like Ethernet The connection is not nrtaintained at all times and may be made 
only when the recovery of the utilization history from the user's information processing unit 1 1 . 

Fig. 2 shows the constmction of the information processing unit 11 on the user side. The user's information 

25 processing unit 1 1 may be a personal computer or a workstation for general use. The only difference is that the token 
12 is connected to the infoonation processing unit 1 1 . The inftymation processing unit 1 1 includes a control unit 14, an 
information holding unit 15. a history holding unit 16 arxl an information transmission unit 17. With this arrangement, a 
recording medium 1 la stored with a program, for example, is used to install the program. 

While communicating with the token 12, the control unit 14 performs the following processes including:

(1) reading the encoded information stored in the information holding unit 15, transferring the information to the
token 12 for decrypting purposes and executing or processing the information;

(2) receiving the utilization history transferred from the token 12 simultaneously when the decrypted data is
received and storing the utilization history in the history holding unit 16; and

(3) issuing a "verification value output" command to the token 12 on receiving an instruction from the user and
transferring the utilization history provided with a digital signature to the information transmission unit 17.

The information holding unit 15 is stored with data, information or decrypted data to be utilized by the user.
Actually, the information holding unit 15 is formed with an external storage device like a memory or a hard disc
device.

The history holding unit 16 is stored with the history transferred from the token 12 via the control unit 14.
Actually, the history holding unit 16 is formed with an external storage device like a memory or a hard disc device.
The specific construction of a history will be described later.

On receiving the command from the control unit 14, the information transmission unit 17 reads out the history held
in the history holding unit 16 together with the utilization history transferred from the control unit 14, and
transmits the history to the recovery unit 13 of the center. The information transmission unit 17 is actually
constituted of a modem and a telephone line or a network interface such as Ethernet. Alternatively, a device such as
a floppy disc may be used instead of Ethernet to store the data, so that the user may manually input it to the
recovery unit 13 of the center.

Fig. 3 shows the construction of the token 12 on the user side. The token 12 is physically and generally constituted
of an MPU, a memory and the like. The token 12 itself is contained in a container resistant to a physical attack
from the outside. Since the attack-resistant container is technologically well known (Japanese Patent No. 1860463,
Japanese Patent Laid-Open No. 100753/1991, etc.), the description thereof will be omitted. To what extent the
container is resistant varies with the degree of security of the data involved. There is a case where the
preparedness for such an attack may be weak.

The token 12 is connected to the user's information processing unit 11, performs predetermined processing
according to an instruction from the information processing unit 11 and returns the result thereto. The token 12
comprises a user private-key holding unit 18, a decryptor unit 19, a utilization-value creating unit 20, a
utilization-value holding unit 21, a utilization-value output unit 22, a token private-key holding unit 23, a
digital signature unit 24 and so forth. Each of the components of the token 12 will be described later. The token 12
has the following functions:
(1) Information decrypting function with holding of the utilization history including:

(i) receiving encrypted data from the information processing unit 11, decrypting the data with the private key
stored in the user private-key holding unit 18, and returning the decrypted data to the information processing
unit 11;

(ii) performing the decrypting process simultaneously with referring to the header of the decrypted data and the
identifier written thereto, and returning the identifier to the information processing unit 11 as the utilization
history; and further

(iii) transferring the utilization history also to the utilization-value creating unit 20, and causing the
utilization-value creating unit 20 to make calculations with respect to the utilization history and the
verification value held in the utilization-value holding unit 21 at that point of time.

(2) Verification value output function including:

providing a digital signature for the verification value held in the utilization-value holding unit 21 at that
point of time on receiving an output request from the information processing unit 11, returning the verification
value with the signature thereto and erasing the data in the utilization-value holding unit 21.

A description will subsequently be given of each component of the token 12.

In response to a decrypting request from the information processing unit 11, the decryptor unit 19 performs the
decrypting process using a private key peculiar to the user held in the user private-key holding unit 18 and returns
the result to the information processing unit 11 as encrypted data. At this time, the decryptor unit 19
simultaneously reads the header of the encrypted data, returns the information identifier written thereto to the
information processing unit 11 as the utilization history and also to the utilization-value creating unit 20 (in
this example, the information identifier of the information utilized is used for the utilization history).

With an arrangement like this, the user needs to gain access whenever utilizing information, so that the
utilization history is recorded without fail.

In this case, the encrypted data transferred from the information processing unit 11 may be what is formed by
encrypting information itself or a key for decrypting the encrypted information. In the case of the latter, the
process of decrypting the information proper is performed on the side of the information processing unit 11.

The user private-key holding unit 18 holds a private key peculiar to the user. Generally, tokens 12 are distributed
to users in such a form that a key peculiar to each user is enclosed beforehand at the token issuing center.
Therefore, the user's private key remains unknown to the user himself.

The utilization-value holding unit 21 holds only one verification value which is updated in sequence. Generally, the
verification value is a value having a fixed length of 16 bytes or the like. If a verification value has 16 bytes,
only a memory of 16 bytes is employed. Fig. 4 shows an example of the formation of such a verification value.

On receiving a verification value output request from the information processing unit 11, the utilization-value
output unit 22 functions as what reads the verification value stored in the utilization-value holding unit 21 at
that point of time and returns the verification value to the information processing unit 11. At that time, the
utilization-value output unit 22 calls the digital signature unit 24 and provides a digital signature for the
verification value.

The digital signature unit 24 uses the private key held in the token private key holding unit 23 for holding a
special private key for the token to perform the process of providing a digital signature for the given value. The
token private key holding unit 23 is a constituent unit for holding the private key for the purpose of signature
used when a digital signature is made. For these constituent units, it is possible to use digital signature
technology such as RSA signature, of which the description will be omitted because it belongs to the prior art.

On receiving the utilization history (the information identifier in this case) from the decryptor unit 19, the
utilization-value creating unit 20 reads the verification value held in the utilization-value holding unit 21 and
calculates a new verification value from the utilization history and the verification value by making the following
calculation.

H = Hash(Usage + Hold) [Numerical Formula 1]

where H = new verification value, Hold = the present verification value, Usage = utilization history and Hash() =
unidirectional function, MD and SHA (Secure Hash Algorithm) being actually employed. In this operation, numerical
values may actually be added up or exclusively ORed on condition that both have the same length, or otherwise the
two data may simply be arranged in order; in any one of the above cases, it is essential that the two values are
synthesized. The utilization-value creating unit 20 stores the new verification value thus calculated in the
utilization-value holding unit 21 (i.e., the new value is superscripted).

On receiving the output request from the information processing unit 11, the utilization-value output unit 22
returns the verification value held in the utilization-value holding unit 21 at that point of time and resets the
utilization-value holding unit 21 to a predetermined value or may simply clear the verification value thus held
therein.

The recovery unit 13 of the center will subsequently be described. Fig. 5 shows the construction of the recovery
unit 13. As shown in Fig. 5, the recovery unit 13 comprises a history reception unit 25, a history holding unit 26,
a history verification unit 27, a token public-key holding unit 28, a signature verification unit 29 and so forth.
The recovery unit 13 causes the history reception unit 25 to receive the history sent from the information
processing unit 11 of the user and stores the contents in the history holding unit 26. The utilization history
stored is read by the history verification unit 27 where it is verified whether or not the history is correct and
then the verified result is sent to an administrator on the center side.

Then the center normally calculates information utilization fees in accordance with the contents of the history,
collects the fees from users and performs the process of distributing the utilization fees thus collected among
information providers according to details of an information utilization history. However, the description of this
matter will be omitted because it is irrelevant to the essence of the present invention.

A description will subsequently be given of each of the components of the recovery unit 13.

The history reception unit 25 receives the history information sent from the information processing unit 11.
Actually, like the history transmission unit 17 of the information processing unit 11 (Fig. 2), the history
reception unit 25 is constituted of a modem and a telephone line or a network interface such as Ethernet or an
information input device from the outside such as a floppy disc. The utilization history received by the history
reception unit 25 is stored in the history holding unit 26.

In order to verify whether the verification value sent from the information processing unit 11 is correct, further,
there are provided the token public-key holding unit 28 and the signature verification unit 29.

When a history is transmitted from the information processing unit 11, the history reception unit 25 receives the
history. The history thus received is stored in the history holding unit 26 and transferred to the signature
verification unit 29. The signature verification unit 29 selects the public key of the token 12 connected to the
information processing unit 11 that has sent the history from among the public keys of the plurality of tokens 12
stored in the token public-key holding unit 28, and verifies the signature of the history using the public key. The
verified result is held together with the history stored in the history holding unit 26. When the verified result
is proved to be false, processing thereafter is discontinued since there is some possibility that the verification
value has been altered dishonestly or fabricated and the administrator outputs to that effect and stops the
processing.

When the signature is verified, the following processing is continued:

The history holding unit 26 holds the utilization history transferred from the history reception unit 25 and the
verified result. The history holding unit 26 is actually formed of a storage device such as a memory.

The history verification unit 27 verifies the history held in the history holding unit 26 as follows:

(1) A series of histories transmitted are defined as ud_1, ud_2, ud_3 ... ud_n;

(2) The verification value attached to the last position of the history is defined as hud; and

(3) Provided the initial value of the verification value is defined as ihud, it is examined whether hud' resulting
from calculation becomes equal to the hud sent according to the following expression:

[Numerical Formula 2]

hud' = Hash(ud_n + Hash(ud_(n-1) + ... Hash(ud_2 + Hash(ud_1 + ihud)) ...))

hud =? hud'

(4) If the equation is established, the verification value is judged not to have been altered dishonestly, but if
not, it has been altered. The administrator of the recovery unit is then informed of the result.
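
The chain update of Numerical Formula 1 and the recovery unit's check of Numerical Formula 2, as an added example that is not part of the patent text. SHA-256 truncated to 16 bytes, the all-zero initial value ihud, the length-prefixed concatenation used for "+" and the sample identifiers are assumptions; the token's digital signature over hud, which the recovery unit verifies before this step, is left out.

```python
# Added illustration of the verification-value chain (Numerical Formulas 1 and 2).
# Assumptions (not from the patent): SHA-256 truncated to 16 bytes as Hash(),
# an all-zero initial value ihud, and length-prefixed concatenation for "+".
import hashlib
import hmac

VALUE_LEN = 16                  # the text's example size for a verification value
IHUD = bytes(VALUE_LEN)         # assumed initial value ihud


def chain_step(usage: bytes, hold: bytes) -> bytes:
    """Numerical Formula 1: H = Hash(Usage + Hold)."""
    if len(hold) != VALUE_LEN:
        raise ValueError("verification value must be %d bytes" % VALUE_LEN)
    # Length-prefix the variable-length record so that the boundary between
    # Usage and Hold cannot be shifted to produce the same hash input.
    msg = len(usage).to_bytes(4, "big") + usage + hold
    return hashlib.sha256(msg).digest()[:VALUE_LEN]


class Token:
    """Models units 20 to 22: one stored value, updated on every utilization."""

    def __init__(self):
        self._hold = IHUD

    def record(self, usage: bytes) -> bytes:
        # Update the single stored value; only this value stays in the token.
        self._hold = chain_step(usage, self._hold)
        return usage            # history entry handed back to unit 11

    def output_value(self) -> bytes:
        # Read the value, then reset the holding unit (steps S51 and S52).
        value, self._hold = self._hold, IHUD
        return value


def verify_history(history, hud: bytes, ihud: bytes = IHUD) -> bool:
    """Numerical Formula 2: recompute hud' over ud_1..ud_n and compare with hud."""
    value = ihud
    for ud in history:
        value = chain_step(ud, value)
    return hmac.compare_digest(value, hud)


def demo():
    token = Token()
    # Constructed sample information identifiers.
    ids = (b"INFO-0001", b"INFO-0002", b"INFO-0003")
    history = [token.record(i) for i in ids]
    hud = token.output_value()
    return {
        "intact": verify_history(history, hud),
        "entry_deleted": verify_history(history[:1] + history[2:], hud),
        "entry_altered": verify_history([b"INFO-0009"] + history[1:], hud),
        "reordered": verify_history(history[::-1], hud),
        "reset_after_output": token.output_value() == IHUD,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because anyone holding the history can recompute this chain, the value only binds the history when it arrives under the token's signature, which is why the signature check precedes the comparison.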

A description will subsequently be given of the form of information to be processed in each unit.

Fig. 6 shows a form of encrypted information as an object of encrypting in the token 12: (a) refers to a case where
information itself is encrypted with a user's private key; and (b) to a case where the private key used for
initially encrypting the information proper is encrypted by a private key peculiar to the user before being
decrypted and the private key peculiar to the information thus obtained is used for decrypting the information
proper. In the case of (b), the information proper may be decrypted by the information processing unit, not by the
token 12. Further, a public key may needless to say be used, though a description has been given of an example using
a common cryptosystem.

The information identifier is an identifier peculiar to the information given when the center encrypts the
information for distribution. The information identifier is controlled by the center (e.g., with a database) and
when the information identifier is specified, it is possible to specify a person who has prepared the information,
for example.

Figs. 7A and 7B show a form of utilization history: Fig. 7A shows a form of the utilization history recorded in the
information processing unit 11 according to this embodiment of the invention, that is, a train of information
identifiers (the information decrypted by the token) utilized; and Fig. 7B shows a form of the utilization history
sent from the information processing unit 11 to the center; this form differs from that of Fig. 7A solely in that
the verification value held by the token and the signature of the token with respect to the verification value are
attached to the last position of Fig. 7A.

Although the individual utilization history is constituted of only the information identifiers utilized according
to this embodiment of the invention, it may include any data, for example, utilization time, the identifier of the
user, the quantity of utilization, a utilization fee and so on. In other words, the present invention is effective
when various kinds of information are left as a history (various kinds of information are usually left as a
history) since the individual history tends to become long.

Referring to Figs. 8 - 12, there will be given a description of processing performed in the information processing
unit 11 and the token 12. Fig. 8 refers to a processing flow when a request for the utilization of information is
made from a user in the control unit 14 of the information processing unit 11. Fig. 9 refers to processing when a
utilization history recovery instruction is given by the user in the control unit 14 likewise. Fig. 10 refers to
processing when the decryptor unit 19 of the token 12 receives a request for decrypting the encrypted information
from the information processing unit 11. Fig. 11 refers to processing in the utilization-value creating unit 20 of
the token 12 when called by the decryptor unit 19 of the token 12. Fig. 12 refers to processing when the
utilization-value output unit 22 of the token 12 receives a verification-value output request from the information
processing unit 11.

As shown in Fig. 8, the following processing proceeds in the control unit 14 of the information processing unit 11
when a request for the utilization of information is made from the user. First, a decision is made on whether the
intended information has been encrypted (S11). If not encrypted yet, the information as it stands is processed
(S15). If already encrypted, a decrypting request is made to the token 12 so as to transfer the intended information
(S12). When an error is returned from the token 12, the processing is terminated after issuing an error message "the
history of the token is full" (S13, S16). If no error is returned, the utilization history fed from the token 12 is
recorded in a recording unit such as a disc (S14). Then the intended information is processed (S15).

As shown in Fig. 9, the following processing proceeds in the control unit 14 of the information processing unit 11
when the utilization history recovery instruction is given by the user. First, a decision is made on whether the
intended information has been encrypted (S21). If not encrypted yet, the information as it stands is processed
(S24). If already encrypted, the decrypting request is made to the token 12 so as to transfer the intended
information (S22). Then the utilization history returned from the token 12 is recorded in the recording unit such as
a disc (S23). Thereafter, the intended information is processed (S24).

As shown in Fig. 10, the following processing proceeds when the decryptor unit 19 of the token 12 receives a
request for decrypting the encrypted information from the information processing unit 11. First, a user private key
Ku is taken out from the user private-key holding unit 18 (S31). The encrypted data is decrypted with the user
private key Ku and the decrypted data is stored (S32). The header of the decrypted data is referred to so as to read
an information identifier and with this identifier as a subtraction number, the utilization-value creating unit 20
is called and made to perform the verification-value creating process (S33, S34, see Fig. 11). Then the decrypted
data and the identifier are sent back to the information processing unit 11 (S35).

As shown in Fig. 11, the following processing proceeds when the utilization-value creating unit 20 of the token 12
receives a call from the decryptor unit 19 of the token 12. First, the verification value is taken out from the
utilization-value holding unit 21 (S41). The information identifier and the verification value are subjected to
hash calculation, and the calculated result is stored in the utilization-value holding unit 21 as a new
verification value (S42, S43).

As shown in Fig. 12, the following processing proceeds when the utilization-value output unit 22 of the token 12
receives the verification-value output request from the information processing unit 11. First, the verification
value stored in the utilization-value holding unit 21 is read out (S51). Then the contents stored in the
utilization-value holding unit 21 are initialized (S52). With the verification value thus read as a subtraction
number, the digital signature unit 24 is called so as to provide the verification value with a signature (S53). The
signature is affixed to the last position of the verification value, and the verification value with the signature
is output (S54).

The description of Embodiment 1 is terminated for the moment.

In a case where a user verifying apparatus and method as disclosed in Japanese Patent Application No. 62076/1996
are combined with the present invention, modulo n can be used as an information identifier by varying the modulo n
in the calculation of power residue each time an access ticket is issued. More specifically, in the user
verification technique of Japanese Patent Application No. 62076/1996, the access ticket (auxiliary information for
verification) is received from the outside, so that encrypted data, for example, is decrypted by the use of the
access ticket and the user verification information. Further, the modulo n used then is used as an information
identifier. In this case, the modulo n is not taken out before being decrypted by the decryptor unit inside the
token but given from the outside together with information as an object of encrypting.

With this arrangement, the capacity of the utilization-value holding unit 21 that has to be prepared within the
token 12 can be minimized and thereby the production cost of the token 12 is also made reducible.

(Embodiment 2)

Embodiment 2 of the present invention will subsequently be described. Embodiment 2 described herein has several
functions in addition to those in Embodiment 1. The functions and effects will be enumerated as follows:

(1) The token 12 outputs the verification value and stops its function but recovers the function on receiving a
message from the center.

When the verification value is output outside or when a predetermined time is passed by the use of a clock function,
the token 12 outputs the verification value and stops at that point of time to urge the user to recover the history
(or may autonomously stop so as to demand a verification value). In order for the user to have the function of the
token 12 recovered, the only way is to send the history and the verification value to the center for verifying
purposes and to receive a message for use in recovering the function from the center. The message issued by the
center for the purpose of recovering the function is formed by providing the verification value sent from the user
with the digital signature added by the center.

(2) The verification value is also output at a point of time the utilization history as its history is processed.

Not only the information identifier but also the verification value at the point of time the history is generated
is contained in the contents of the utilization history, whereby strict control of the history (order) on the
information processing unit side can be dispensed with since the continuity of the individual history is made
examinable.

(3) An old verification value is held on the center side.

In the embodiments of the present invention up to now, the verification value within the token has been initialized
in compliance with the output request from the user. However, this function can be dispensed with by making the
recovery unit of the center hold the preceding verification value of the user.

Fig. 13 shows the construction of the token 12 according to this embodiment of the invention, wherein like reference
characters designate like or corresponding parts of Fig. 3 and the detailed description thereof will be omitted. As
shown in Fig. 13, the token 12 comprises the user private-key holding unit 18, the decryptor unit 19, the
utilization-value creating unit 20, the utilization-value holding unit 21, the token private key holding unit 23,
the digital signature unit 24, a control unit 30, a history creating unit 31, a calculating unit 32, a center
public-key holding unit 33, a signature verification unit 34 and so forth. A clock unit 35 may be provided, if
necessary.

It is arranged according to this embodiment of the invention that communication with the information processing
unit 11 is totally conducted via the control unit 30, which properly calls any other processing unit and performs
processing in compliance with a request from the information processing unit 11.

The control unit 30 holds the operating state of the token 12 therein, the operating state being divided into two:
a normal and a halt mode. In the normal mode, the token 12 performs the decrypting process as described in
Embodiment 1 in compliance with a decrypting request from the information processing unit 11. In the halt mode, on
the other hand, the token 12 accepts no decrypting request but basically only a function restart request
(verification value with the signature made by the center). The token 12 cancels the halt mode when the request is
rightful and performs the process of transferring the halt mode to the normal mode (in addition, may also actually
perform the process of outputting a verification value resulting from providing a signature for the verification
value held in the utilization-value holding unit 21 at that point of time).

Transferring the normal mode to the halt mode depends on the number of times the decrypting process, for example, is
performed. The calculating unit 32 of Fig. 13 holds the number of times the decrypting process is performed. When
that number of times exceeds a predetermined value (e.g., 100 times), for example, the control unit 30 returns a
message "the time limit expired" to the information processing unit 11 and restores the halt mode.

When a clock is installed, information as to the preceding halt time held within the control unit 30 may be relied
upon. In other words, on receiving a request from the information processing unit, the control unit compares the
preceding halt time held in the control unit with the present time and returns the message "the time limit expired"
to the information processing unit 11 when a predetermined period of time has passed (e.g., one month), and restores
the halt mode.

Referring to Figs. 14-16, there will be given a detailed description of processing to be performed by the control
unit 30 of the token 12. Incidentally, the parts shown with dotted lines in Figs. 14-16 represent not the process
steps taken by the control unit 30 but those taken by relevant constituent units.

In Fig. 14, one of the encrypting, verification-value output and function restart requests is input to the control
unit 30 of the token 12 from the information processing unit 11. First, a decision is made on whether the mode of
the control unit 30 is the halt mode (S61). Unless the halt mode is established, a count in the calculating unit 32
is read and a decision is made on whether the count exceeds, for example, 100 (S62, S63). If the count does not
exceed 100, the flow proceeds to a node B of Fig. 16 where the decrypting process is performed. When the count
exceeds 100, a verification value with a signature is output. In other words, a value in the utilization-value
holding unit 21 is read out and the digital signature unit 24 is caused to create the verification value with the
signature, which is output (S64, S65). Then the verification value with the signature and a message "transfer to the
halt mode" are returned to the information processing unit 11 (S66). Further, the count in the calculating unit 32
is cleared and the halt mode is restored (S67, S68).

When the control unit 30 is in the halt mode at Step S61, a decision is made on whether the request received is the
encrypting request, the verification-value output request or the function restart request (S69, S70, S71). When the
request is the encrypting request, a message "the halt mode at present" is returned to the information processing
unit 11, and the processing is terminated (S72). When the request is the verification-value output request, the
verification value in the utilization-value holding unit 21 is read out and the digital signature unit 24 is caused
to create the verification value with the signature, which is output (S73, S74). Then the verification value with
the signature is returned to the information processing unit 11, and the processing is terminated (S75). When the
request is the function restart request, the function restart process at a node A is followed. When the request
received is not the encrypting request, the verification-value output request nor the function restart request, an
error is returned to the information processing unit 11, and the processing is terminated (S76).

Fig. 15 shows the function restart process. In Fig. 15, the received verification value with the signature is
delivered to the digital signature unit 24 so as to verify the correctness of the signature (S77). If the signature
is correct, the verification value thus delivered is compared with the verification value in the utilization-value
holding unit 21 and examined whether both conform to each other (S78 - S80). If both conform to each other, the mode
of the control unit is transferred from the halt mode to the normal mode, and a message "function restart" is
returned to the information processing unit 11 (S81, S82). If the signature is incorrect at Step S78, a message
"incorrect signature" is returned to the information processing unit 11, and the processing is terminated (S83).
When the verification value is inconsistent at Step S80, a message "inconsistent verification value" is returned to
the information processing unit 11, and the processing is terminated (S84).

30 Rg. 16 refers to a case where the count does not exceed a threshold value, for exanple. 100. In Rg. 16. whether 
or not tiie request is the encrypting request is inspected (S85). When it is the encrypting request, the delivered data ts 
sent to the decryptor unit 19 (588). The decryplor unit 19 carries out the encrypting operation {S89 - S93). When the 
request is not the encrypting request, a decision is made on whether it is the verification-value request (S86). When it 
is the verification value request, the flow proceeds to a node C of Rg. 14 where tiie verification-value output process is 

35 performed. When the request is not the verification-value output request at Step S86, an error is returned to the infor- 
mation processing unit 1 1 . and the processing is terminated (S87). 

The description of the processing in the control unit 30 of the token 12 is terminated for the moment.
Although it has been arranged to restore the halt mode even when the verification value request is made from the
information processing unit 11 according to this embodiment of the invention (transferring from Step 86 of Fig. 16 to the
node C of Fig. 14), this arrangement need not necessarily be made. With respect to the verification value request in the
normal mode, for example, the verification value is updated and then a signature is provided for the verification value
held at that point of time so that the then value may be returned (this merit will be described at the end of the description
of this embodiment of the invention).

The decryptor unit 19 and the user private-key holding unit 18 have the same functions as those described in
Embodiment 1 of the present invention.

The history creating unit 31 performs, as also shown in Fig. 16, the process of generating three sets of the information
identifier delivered from the decryptor unit 19 and the present verification value and delivering them to the control
unit 30 as the utilization history.

With respect to the history ud delivered from the history creating unit 31, the utilization-value creating unit 20
performs the process of calculating the following hash value,

$hu = \mathrm{Hash}(ud)$    [Numerical Formula 3]

and storing the calculated result in the utilization-value holding unit 21, which holds the verification value at that point
of time.

As in Embodiment 1 of the present invention, the digital signature unit 24 uses the private key held in the token private
key holding unit 23 holding the special private key for the token to provide the digital signature with respect to the
value given. According to this embodiment of the invention, further, the signature verification unit 34 is provided so as
to verify whether the signature delivered by the use of the public key of the center held in the center public-key holding
unit 33 is the signature of the center. Digital signature technology such as RSA signature is basically usable for these
constituent units; however, the detailed description thereof will be omitted as it is well known technology.

Fig. 17 shows the construction of the information processing unit 11 according to this embodiment of the invention,
wherein like reference characters designate like or corresponding parts of Fig. 2. As shown in Fig. 17, though the
construction is substantially similar to what is shown in Embodiment 1 of the present invention, the token enters the halt
mode at a certain point of time in the information processing unit 11 according to this embodiment of the invention and
in order to make the function restart a history has to be transmitted to the center to cause the center to send the restart
message accordingly. Therefore, a verification value reception unit 36 for receiving a verification value with a signature
from the center is slightly varied. Further, the history held in the history holding unit 16 is also different in construction.
Fig. 18 shows the construction of the recovery unit 13 of the center according to this embodiment of the invention,
wherein like reference characters designate like or corresponding parts of Fig. 5. In comparison with the constitution of
Embodiment 1 of the present invention, since the verification value with the signature has to be sent to the information
processing unit 11 when the correctness of a history is verified, there are additionally installed constituent units for the
purpose; namely, a center private-key holding unit 37, a digital signature unit 38 and a verification-value-with-signature
transmitting unit 39. As the utilization history sent from the information processing unit 11 is different in construction, the
history processed in the recovery center naturally differs.

Figs. 19A to 19E show the construction of the utilization history held in each of the constituent units.

Fig. 19A refers to the utilization history recorded in the history holding unit 16 of the information processing unit 11.
The contents of the individual history include two: a pair of information identifier shown in Fig. 19C and verification value
held in the token at that point of time.

When the history is sent from the information processing unit 11 to the center, the verification value with the signature
of the token is affixed to the last position of the line of the history shown in Fig. 19B. The verification value with the
signature is output when the token 12 ceases to function and the token 12 provides the verification value with the
signature at that point of time shown in Fig. 19D.

The center employs the verification value with the signature for verifying the history shown in Fig. 19D. When the
correctness is proved as a result of verification, the center provides the verification value attached to the last position
as a message for restarting the function of the token 12 with a signature and the value thus obtained is sent to the
information processing unit 11. This is shown in Fig. 19E.

The processing performed by the recovery unit 13 will subsequently be described. When a history is transmitted
from the information processing unit 11, it is received by the history reception unit 25. The history received is stored in
the history holding unit 26 and also delivered to the signature verification unit 29. The signature verification unit 29
selects the public key of the token 12 connected to the information processing unit 11 which has transmitted the history
from among the plurality of token public keys stored in the token public-key holding unit 28, and verifies the signature of
the history using the public key. The verified result is held together with the history stored in the history holding unit 26.
When the reception of the history is completed, the history verification unit 27 starts operating. The history
verification unit 27 refers to not only the history received now but also the result of verifying the signature affixed thereto. If
the result of verifying the signature is incorrect, processing thereafter is not performed. If the result of verifying the
signature is correct, it is further verified whether the contents of the signature are correct.

The process of verifying the contents of the signature is performed as follows:

(1) It is assumed that the line of the history sent is as follows:

$(id_1, hu_0), (id_2, hu_1), (id_3, hu_2), \ldots, (id_n, hu_{n-1}), \mathrm{sign}(hu_n)$

where $id$ = information identifier, $hu$ = verification value at a point of time the history is created, and
$\mathrm{sign}()$ = sign of the token.

(2) The verification value sent by the token previously is found out of the history holding unit and defined as $hu_{old}$.

(3) The verification value $hu_0$ is taken out of the initial history $(id_1, hu_0)$ of the utilization history that has been sent
to make it certain whether the verification value is equal to $hu_{old}$.

(4) Subsequently, the hash value of $(id_1, hu_0)$ is calculated (Numerical Formula 3) to make it certain whether it conforms to $hu_1$.

(5) This step is repeatedly taken up to the final verification value $hu_n$ likewise.

(6) On condition that the utilization history has passed every inspection, it is regarded as being correct.

Only when the history is judged correct through the verification process, the final verification value $hu_n$ is sent to
the signature verification unit, so that a digital signature is provided by means of the public key of the center. Then the
verification value with the signature of the center is sent back to the information processing unit from which the history
has been transferred.

With the arrangement above, since the function of the token is stopped at a certain point of time, the user of the
information processing unit has to send a correct history to the center in order to restart the function of the token.
Therefore, the user can be urged to recover the history.
Since the final verification value is recorded on the center side, verification is proved to be simply unsuccessful
even in a case where the correct history sent from the token is partially destroyed for some reason or other;
consequently, no change is caused to the data held on the center side. Therefore, normal verification is carried out by making
the token send the history again.
Even when part of the history is destroyed (or lost), almost all the rest may be made verifiable at the time the history
is verified by causing the token to output the verification value autonomously.

More specifically, not only when the user demands a verification value as described above but also when the load
of the token is low, the token is allowed to output autonomously the verification value with the signature it holds at that
point of time, so that even when part of the history is destroyed (or lost), almost all the rest becomes verifiable at the
time the history is verified.

In this case, the utilization history sent to the center is constructed as shown in Fig. 20, for example. At this time, it
is assumed that a history 25 has been lost by accident on the information processing unit side.

In the case of a utilization history having the verification value shown above at only the last position, the verification
of a history 26 and thereafter is possible. Notwithstanding the fact that the contents of histories 1 - 24 have not
been lost, their correctness remains unverifiable.

When the history 25 is lost, only a history 24 becomes unverifiable and the remaining histories are made verifiable
by inserting verification values with signatures halfway throughout. More specifically, histories from 1 to 10 are made
verifiable by a verification value 1 with a signature; histories from 11 to 23 by a verification value 2 with a signature;
histories from 25 to 36 by a verification value 3 with a signature; and histories from 37 to 57 by a verification value 4 with
a signature.

Thus, most of the remaining histories are made verifiable even when part of any history is lost by inserting
verification values among the histories at suitable intervals.
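
The chained verification value, the center's check in steps (1) to (6), and the effect of signed values inserted at intervals can be tried out with the following added example, which is not code from the patent. Assumptions: SHA-256 as the hash function, a toy RSA key built from two constructed primes in place of the token's key pair, the names Token, verify_history, verifiable_entries and build_stream, and a backward walk from each signed value as one way to decide which surviving histories remain provable.

```python
import hashlib

# Toy RSA key built from two constructed primes: illustration only, far too
# small for real use. It stands in for the token's private and public key.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def H(info_id, prev_hu):
    """hu_i = Hash(id_i, hu_{i-1}); the id is length-prefixed so the two
    fields cannot be shifted into each other."""
    raw = info_id.encode()
    return hashlib.sha256(len(raw).to_bytes(4, "big") + raw + prev_hu).digest()

def sign(hu):
    return pow(int.from_bytes(hu, "big") % N, D, N)

def verify_sig(hu, sig):
    return pow(sig, E, N) == int.from_bytes(hu, "big") % N

class Token:
    """Keeps only the current verification value, never the history."""
    def __init__(self, hu0=bytes(32)):
        self.hu = hu0

    def use(self, info_id):
        entry = (info_id, self.hu)      # (id_i, hu_{i-1}) is handed to the host
        self.hu = H(*entry)             # hu_i replaces hu_{i-1} inside the token
        return entry

    def signed_value(self):
        return self.hu, sign(self.hu)

def verify_history(entries, signed, hu_old):
    """Steps (1)-(6): signature first, then the chain from hu_old to hu_n."""
    hu_n, sig = signed
    if not verify_sig(hu_n, sig):
        return False
    expected = hu_old
    for info_id, prev_hu in entries:
        if prev_hu != expected:         # step (3), then every later link
            return False
        expected = H(info_id, prev_hu)  # step (4)
    return expected == hu_n

def verifiable_entries(stream):
    """stream items: ("entry", n, id, prev_hu) or ("sig", hu, sig).
    Walk backward from every valid signed value until the chain breaks."""
    ok = set()
    for pos, item in enumerate(stream):
        if item[0] != "sig" or not verify_sig(item[1], item[2]):
            continue
        trusted = item[1]
        for back in reversed(stream[:pos]):
            if back[0] != "entry":
                break                   # earlier entries belong to the previous signed value
            _, n, info_id, prev_hu = back
            if H(info_id, prev_hu) != trusted:
                break                   # gap or alteration: nothing earlier is provable
            ok.add(n)
            trusted = prev_hu
    return ok

def build_stream(lost=25, marks=(10, 23, 36, 57), total=57):
    """Constructed sample laid out like the Fig. 20 discussion."""
    token, stream = Token(), []
    for n in range(1, total + 1):
        info_id, prev_hu = token.use(f"content-{n}")
        if n != lost:
            stream.append(("entry", n, info_id, prev_hu))
        if n in marks:
            stream.append(("sig", *token.signed_value()))
    return stream

if __name__ == "__main__":
    survivors = set(range(1, 58)) - {25}
    print("unverifiable:", sorted(survivors - verifiable_entries(build_stream())))
```

Calling build_stream(marks=(57,)) models the case with a signed value at only the last position, where everything before the lost history stays unprovable.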

In order to materialize the arrangement above, a decision unit for deciding whether the load is low is provided in the
control unit within the token and when the load of the token is low, it is only needed to autonomously create the
verification value with the signature.

Moreover, it may be arranged that the verification value with the signature is output by the information processing
unit, that is, in compliance with a request from the user unless the token does the operation autonomously.
Consequently, the processing may be altered from not causing the node C (Step S64) of Fig. 14 to branch off from the node
C of Fig. 16 but creating a verification value with a signature by updating the verification value and returning the
verification value to the information processing unit 11.

Further, time information as the utilization history is made retrievable by letting the token have the clock function,
whereby the recovery center can be informed of not solely the history about which information has been utilized but also
the time when the information is used. The clock unit has an ordinary clock function and should only function as what
outputs the present time in accordance with the request made by holding the date including years, months and days,
and the time. In order to include the time in the history, it is only needed to couple the time information to the information
identifier. With the provision of the clock function, "the time passed after the preceding halt" can be set as the condition
of restoring the above-described halt mode.

Although a history to be output outside is provided with the verification value held thereby at that point of time
according to this embodiment of the invention, a count instead of the verification value may be output when the history
is output outside by providing a counter unit in the token so that the count is counted each time the history is output. In
this case, the portion as the hash function input described until now makes a utilization history and the count held at
that point of time.

As set forth above, according to the present invention, data is not stored in the protective apparatus to reduce the
quantity of held data but output outside the protective apparatus, and a verification value having a small quantity of data
is to be stored instead. Consequently, the storage capacity and the necessary processing capabilities of the protective
apparatus can be suppressed. Since the verification value is sent outside together with a signature, dishonest alteration
is preventable to ensure that data is verified. Moreover, even though data are dispersed for storage, the order of data is
restored to facilitate data verification by adding order-restoring information to the data to make the order of such data
restorable. Since the relevant processing is made continuously performable when the protective apparatus receives a
value resulting from providing the signature of a right person for the data held by the protective apparatus, the
processing is made possible only by sending the data held in the protective apparatus to the right person and then sending back
the data therefrom. Therefore, verification data is sent to the right person at all times to ensure that the verification data
is recovered. Even though part of the data is destroyed or the like, most of the remaining data can be verified for certain
by outputting the verification value with the signature frequently.

The foregoing description of a preferred embodiment of the invention has been presented for purposes of illustration
and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed, and
modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention.
The embodiment was chosen and described in order to explain the principles of the invention and its practical application
to enable one skilled in the art to utilize the invention in various embodiments and with various modifications as are
suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims
appended hereto, and their equivalents.

Claims

1. A data verifying method, comprising the steps of:

creating a verification value of a data body inside a protective apparatus from a verification value of the relevant
data body out of a plurality of data bodies generated in sequence and a verification value of a data body
preceding the relevant data body;
creating a verification value with a signature by adding a digital signature inside the protective apparatus to the
verification value created for the last data body out of the plurality of data bodies to be verified at a time;
sending the verification value with the signature outside from the protective apparatus; and
verifying the plurality of data bodies based on the plurality of data bodies and the verification value with the
signature.

2. An apparatus for creating data to be verified, said apparatus comprising:

means for generating data bodies in sequence;
verification value storage means for storing verification values;
verification value creation means for creating a new verification value from the verification value stored in the
verification value storage means and a newly generated data body and updating the verification value stored
in the verification value storage means to the new verification value; and
signature means for attaching a signature to the verification value stored in the verification value storage
means at predetermined timing;
wherein said verification value creation means, said verification value storage means and said signature
means are installed in a protective apparatus.

3. A data verifying apparatus, comprising:

a plurality of data bodies generated in sequence;
means for receiving a verification value with a signature resulting from providing a signature for the verification
value calculated from the plurality of data bodies;
signature verifying means for verifying the signature on the verification value received; and
verifying means for verifying the correctness of the plurality of data bodies received from the verification value
with the signature verified by the signature verifying means.

4. A history holding method for holding in a protective apparatus only a verification value resulting from sequential
calculations with respect to a group of history data comprising:

a plurality of continuous history data, and providing a signature for only the verification value when the
verification value is output from the protective apparatus outside.

5. A history holding apparatus comprising:

data input means for inputting a plurality of continuous data;
data processing means for processing the data;
verification value creation means for creating a verification value with history data relevant to the data
processing and the verification value held at this point of time as inputs;
verification value holding means for holding the verification value thus created; and
signature means for providing a signature for the verification value;
wherein said verification value creation means, said verification value holding means and said signature
means are at least installed in a protective apparatus.

6. A history holding apparatus as claimed in claim 5, wherein unidirectional functions are used for calculations
applicable to said verification value creation means.

7. A history holding apparatus as claimed in claim 5, wherein the history data is in the form of a combination of the
history data body and the verification value at the time the history data is processed.

8. A history holding apparatus as claimed in claim 5, further comprising counter means for counting each time data is
processed, wherein the history data in the history data group is in the form of a combination of the count when the
data is processed and a history body.

9. A history holding apparatus as claimed in claim 5, wherein the verification value with the signature is output in
compliance with a user's request.

10. A history holding apparatus as claimed in claim 5, wherein the history holding means comprising a single CPU with
software; and
wherein when the load of the CPU applied by the data processing means is low, the signature means
creates and outputs the verification value with the proper signature.

11. A history holding apparatus as claimed in claim 5, further comprising function halt means for stopping the function
of the data processing means at a point of time the verification value is output until a proper instruction is given from
the outside.

12. A history holding apparatus as claimed in claim 11, further comprising halt condition holding means for stopping
the function, wherein when the conditions described in the halt condition holding means are met the function halt
means outputs the verification value with the signature written thereto and stops its function.

13. A history holding apparatus as claimed in claim 11, further comprising proper public-key holding means for holding
a public key of an external right person, wherein the function halt means verifies that an accepting instruction is
intended to restore the function corresponding to the lastly-output verification value provided with a digital signature
made by the external right person and that by verifying the signature with the public key held by the proper public-key
holding means at the time of receiving the instruction, whether or not the verification value with the signature is
equal to the verification value held by the verification value holding means.

14. A history verifying apparatus comprising:

data input means for inputting a verification value with a signature, the signature being provided for the
verification value calculated from a plurality of continuous history data in group and from the data groups;
signature verifying means for verifying the signature of the verification value thus received with the signature;
and
verifying means for verifying the correctness of the data group received from the data group received and the
verification value whose signature has been verified.

15. A history verifying apparatus as claimed in claim 14, further comprising previous verification value storage means
for storing the verification value received the last time;
wherein the verifying means employs the previous verification value when making verification.

16. A history verifying apparatus as claimed in claim 14, wherein the calculations for use in said verifying means are
based on unidirectional functions.

17. A history verifying apparatus as claimed in claim 14, wherein the history data is in the form of a combination of the
history data body and the verification value at the time the history data is processed.

18. A history verifying apparatus as claimed in claim 14, wherein the history data in the history data group is in the form
of a combination of the value of the counter when the data is processed and a history body.

19. A history holding apparatus comprising:

data storage means for holding data;
halt condition holding means for holding predetermined conditions at the time the function is stopped;
function halt means for stopping the function when the conditions held in the halt condition holding means are
met and keeping the function stopped until a proper instruction is received from the outside;
private-key holding means for holding a private key;
digital signature means for providing a digital signature using the private key held in the private-key holding
means for the data group held in data holding means;
digital signature holding means for holding the digital signature affixed; and
proper public-key holding means for holding the public key of an external right person, wherein the function halt
means verifies that an accepting instruction is intended to restore the function corresponding to the digital
signature provided by the external right person for the digital signature held in the digital signature holding means
and that by verifying the signature with the public key held by the proper public-key holding means at the time
of receiving the instruction, whether or not the value with the signature is equal to the value held by the digital
signature holding means.

20. An electronic equipment comprising:

function halt means for stopping at least part of the function of an electronic equipment body when
predetermined conditions are met;
means for outputting predetermined data outside;
means for receiving data with a signature, the data being created by providing the signature for the
predetermined data;
signature verifying means for verifying the signature with respect to the data with the signature; and
means for releasing the halt state of that part of the function when the correctness of the signature of the data
with the signature is verified by the signature verifying means.

21. A computer program product for effecting interaction between a data creation apparatus and a data recovery
apparatus for recovering data bodies that are output from the data creation apparatus, which comprises means for
generating the data bodies in sequence, verification value holding means for holding verification values, verification
value creation means for creating a new verification value from the verification value held in the verification value
holding means and a newly generated data body and updating the verification value held in the verification value
holding means to the new verification value, and signature means for attaching a signature to the verification value
held in the verification value holding means at predetermined timing, characterized by causing a computer to take
the steps of:

storing the data body that is output from the data creation apparatus and the verification value provided with
the signature, and
sending the data body and the verification value with the signature thus stored therein to the data recovery
apparatus at predetermined timing.